A software as a service database system is built using a metadata object graph. Developers of the database system create a set of functionality for their customers including business process operating on the object graph, reporting based on the object graph, integrated applications, etc. As the customer base of the database system grows, new functionality and applications are desired by the customers outside of the scope of the core business. Enabling outside (e.g., third party) developers to contribute functionality on the database system is desirable. However, this creates a problem where third party developer code must be guaranteed to interact with the database system safely—for example, without danger of damaging the metadata object graph and tolerant to updates of the database system.